10-21-2012 04:43 PM - edited 03-10-2019 07:42 PM
All,
We are currently evaluating ISE and I am stuck with the PEAP authentication (with server-side cert).
Our current setup consists of two 5508 controllers and 30+ access points. For authentication we are using PEAP (with server-side cert). We have an IAS server which is also acting as a CA server.
We are using Cisco’s NAM as a supplicant on Windows XP & 7 workstations.
I would like to use ISE for authentication. I would like to use PEAP with server-side cert (similar setup to IAS). I want ISE to perform the same function in addition to profiling etc.
I was able to integrate ISE with Active Directory but could not get it working with PEAP (server side Cert).
Has anyone done this before? If yes then can you share step by step instructions?
I would also like to know if they used Microsoft's CA server, an OpenSSL CA server, or a third-party CA (GoDaddy, VeriSign, etc.).
Can we use ISE as a CA server, just the way we used Microsoft's IAS server as a CA server?
Thanks in Advance
Ds
10-22-2012 12:32 PM
well not exactly but i used parts from here:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
I think you're good with what you done so far.
10-21-2012 07:34 PM
Answers inline:
Our current setup consists of two 5508 controllers and 30+ access points. For authentication we are using PEAP (with server-side cert). We have an IAS server which is also acting as a CA server. IAS and CA are two separate roles that a Windows server can run; just wanted to clear that up. The IAS service still needs a cert imported/signed for it to present a server-side certificate for PEAP.
We are using Cisco's NAM as a supplicant on Windows XP & 7 workstations. Good choice; much better to control across different platforms.
I would like to use ISE for authentication. I would like to use PEAP with server-side cert (similar setup to IAS). I want ISE to perform the same function in addition to profiling etc.
I was able to integrate ISE with Active Directory but could not get it working with PEAP (server-side cert). You will need to generate a CSR from the ISE server (go to Administration > Certificates > Local Server Cert.. > Add > Generate CSR, then go to the CSR container and export your CSR).
Has anyone done this before? If yes then can you share step by step instructions? This response should answer your question.
I would also like to know if they used Microsoft's CA server, an OpenSSL CA server, or a third-party CA (GoDaddy, VeriSign, etc.). Who is "they"? If you are authenticating users within an enterprise where laptops are issued by the corporation, then you should save the cost and use your internal CA (Windows); if this is a campus environment (BYOD), then you should get a public CA.
Can we use ISE as a CA server, just the way we used Microsoft's IAS server as a CA server? No.
Thanks in Advance
Ds
Tarik Admani
*Please rate helpful posts*
10-21-2012 09:43 PM
I was able to generate the CSR from ISE. After generating the CSR I exported the cert to a temp folder.
I have also installed a Microsoft CA server (Windows 2008 R2) so the CA server can issue a cert to ISE. The problem I am having is that the CSR is in .PEM format and Microsoft does not understand that format. Therefore I used online tools to convert the cert to .DER or PKCS#12, but Microsoft doesn't like it.
Do you have any suggestions?
Ds
10-21-2012 10:07 PM
The CSR should be in PEM format. My assumption is that you used the default SHA-256 to generate the request; try using SHA-1 and that should work.
Thanks,
Tarik Admani
*Please rate helpful posts*
10-22-2012 07:51 AM
Cisco recommends using 3rd-party software to generate the CSR, like OpenSSL. I did it and it worked fine.
I used a GoDaddy cert (Go Daddy Class 2), which on Apple devices comes up as UNVERIFIED, so I don't know what's the point of buying it for PEAP (it does work for HTTP SSL though).
For Windows machines that are joined to a workgroup there is still a problem when users try to connect to an SSID:
even though you have the root cert as trusted on the machine, it comes up as unverified.
Seems like a Windows 7 bug; here is an article from Windows.
http://support.microsoft.com/kb/2518158
and here
http://support.microsoft.com/kb/295663
Hope it helps.
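The OpenSSL side of what the replies above describe (generate the ISE server CSR, pick its signature digest, hand a PEM or DER copy to the CA, then check that the issued cert chains to a root the supplicants trust), as an added example that is not from any poster in this thread. The hostname ise01.example.com, the organisation name, the 2048-bit key size and the throwaway test roots are assumptions made for the demo; point the same functions at your real CSR and CA bundle instead. One caveat worth knowing before copying the SHA-1 workaround: the digest on the CSR only signs the request itself, the CA decides the digest on the certificate it issues, and current CAs and OpenSSL builds may refuse SHA-1 outright.

```shell
#!/bin/sh
# Added example (not code from the thread): OpenSSL workflow for a PEAP
# server certificate. All names, paths and the test CAs are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CN="${CN:-ise01.example.com}"   # assumed ISE node FQDN that supplicants will see

# Request config: CN plus a matching SAN (supplicants check SAN, not CN),
# the serverAuth EKU PEAP clients require, and a CA section for the test roots.
cat > "$WORK/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $CN
O = Example Corp
[ext]
subjectAltName = DNS:$CN
extendedKeyUsage = serverAuth
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Generate a 2048-bit RSA key and a PEM CSR. $1 is the CSR signature digest
# (sha256 or sha1), the same setting toggled in the ISE GUI in the thread.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -"$1" \
        -keyout "$WORK/ise-$1.key" -out "$WORK/ise-$1.csr" \
        -config "$WORK/req.cnf" 2>/dev/null
}

# Digest actually used on a CSR, e.g. sha256WithRSAEncryption.
csr_digest() {
    openssl req -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'
}

# Subject in RFC 2253 form (stable across OpenSSL versions).
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# PEM -> DER conversion of the CSR ($1 in, $2 out); prints "ok" only if the
# DER copy still carries a valid self-signature, so a bad conversion shows up.
csr_to_der() {
    openssl req -in "$1" -outform DER -out "$2"
    openssl req -inform DER -in "$2" -noout -verify >/dev/null 2>&1 && echo ok
}

# Throwaway self-signed root ($1 basename, $2 CN) standing in for the
# enterprise or public CA.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -config "$WORK/req.cnf" -extensions ca_ext -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue the server cert from CSR $1 with CA basename $2. The CA, not the CSR,
# picks the issued certificate's digest (-sha256 here).
issue_cert() {
    openssl x509 -req -in "$1" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
        -sha256 -days 1 -extfile "$WORK/req.cnf" -extensions ext \
        -out "$WORK/ise.crt" 2>/dev/null
}

# What a supplicant does in PEAP phase 1: chain the server cert to a root in
# its trust store ($1). Prints "trusted" or "unverified".
verify_chain() {
    if openssl verify -CAfile "$1" "$WORK/ise.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo unverified
    fi
}

demo() {
    make_csr sha256
    echo "CSR digest:  $(csr_digest "$WORK/ise-sha256.csr")"
    echo "CSR subject: $(csr_subject "$WORK/ise-sha256.csr")"
    echo "DER copy:    $(csr_to_der "$WORK/ise-sha256.csr" "$WORK/ise.der")"
    # The 2012 workaround: a SHA-1 signed CSR. Newer builds may refuse it.
    if make_csr sha1; then
        echo "SHA-1 CSR:   $(csr_digest "$WORK/ise-sha1.csr")"
    else
        echo "SHA-1 CSR:   refused by this OpenSSL build"
    fi
    make_root ca "Example Test Root CA"
    make_root other "Some Other Root CA"
    issue_cert "$WORK/ise-sha256.csr" "$WORK/ca"
    echo "trust store holds issuing root: $(verify_chain "$WORK/ca.pem")"
    echo "trust store holds other root:   $(verify_chain "$WORK/other.pem")"
}
demo
```

The last two lines of the demo are the point of the "unverified" complaints in the thread: a server cert is only as trusted as the root the supplicant holds, so whichever CA you use (internal Windows CA, OpenSSL, or a public one), its root (and any intermediate) has to be in the client's trust store and selected in the supplicant profile, and the cert's SAN has to match the name the profile validates.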
10-22-2012 12:25 PM
Thanks Tarik!!! Selecting SHA-1 instead of SHA-256 did the trick. One step closer.
Do you have step-by-step instructions to complete the CSR on Windows 2008 R2? Should we use the GUI method or use the IIS interface?
edondurguti: I am ok to use OpenSSL as a CA server and then submit the CSR to OpenSSL. Do you have written instructions to perform that task?
10-23-2012 12:59 PM
Thanks edondurguti. I ended up submitting my CSR to DigiCert and it worked like a champ.
Ds
10-31-2012 10:42 AM
I am unable to do machine and user authentication using PEAP. I am not sure what is wrong with my authorization policies.
On the ISE side it says authenticated (user and machine separately), but on the client side it says limited or no connectivity.
I am using AnyConnect 3.1 on the client side as the supplicant.
ISE version is 1.1.1 with patch 3.
WLC version is 7.2.103.0
Is there a compatibility issue?